Entries Tagged as 'Railo'

Why ColdFusion & Railo are not suited to shared hosting

ColdFusion, Railo | 11 Comments

This is a topic I have found myself explaining quite often of late. One thing I can say with absolute certainty, from dealing with hundreds of developers of all levels over the years, from newbs to gurus, is that most devs do not really understand how things work on the server (they know how to write code and upload it to the server), and most CF devs additionally don't understand how ColdFusion really works and how and why it differs from other scripting languages like PHP, Perl or ASP.net. So I decided it was time to write a complete blog post on the subject and hopefully enlighten some of those developers a bit more.

Now I have heard many say "I am just a developer, it is my job to write code, not to understand the server stuff", but I'm afraid I disagree with this and consider it a bit of a cop out. If you don't understand how things work on the server to at least some degree, how can you be sure you are writing code that is going to be scalable and reliable and is not going to cause problems? Sure, no-one should expect you to know EVERYTHING to the same level as a sysadmin, but you certainly should know the basics that are relevant to your job, especially if you are going to be making any hosting recommendations to your clients.

The first thing to understand is that ColdFusion and Railo are not technically application servers (which most people believe them to be). They are simply Java applications (that convert CFML into Java bytecode) that run inside a Java servlet container (e.g. Apache Tomcat, Jetty, JBoss), which runs as a service/daemon, and all requests for all pages coming into the server go through that same service/daemon. This means that any problems with that service affect ALL CFML (or JSP) websites on the server.
This is also a bad thing for security because it means that all sites on the server run within the security context of the service and so cannot have their own permissions. So any Java code in any site can access files in site2, site3 or any other site on the server, or in fact any part of the system that the service itself has access to. The only way round this is to use security sandboxes, which are a feature of ColdFusion Enterprise and Railo.
But BEWARE: CF sandboxes can provide a false sense of security. They are only applied to CFML code and do not sandbox Java, so if you drop any Java code into your CFML pages (using CreateObject(java)) you bypass the sandbox completely, so they will not stop any vaguely competent coder/hacker. There is no way round this on a shared server; you simply have to take the risk. On a dedicated VPS you can mitigate this by using multiple instances of CF/Tomcat and isolating each site using server-side permissions.

Before you say "so hosts shouldn't allow Java", this is not even an option for any host, as all modern frameworks and apps need createObject(java), so disabling this function would break almost every modern application. Ergo it is a risk that has to be taken, because at the end of the day 99% of clients simply don't care about the security risks; all they see is that their app doesn't work, and they will just go elsewhere.

When we look at other common languages such as PHP, Perl, ASP.net etc., these run as an ISAPI or CGI process, so every website on the server spawns its own process to handle its requests. So if there are 20 PHP sites then there are 20 PHP processes running (think of this like 20 instances of ColdFusion). The process runs within the security context of the website that spawned it, so in the case of Windows it runs under the application pool identity. This means that as long as every website/application pool is set to run under a different user account with access only to that website root, PHP will also have only those permissions, so it is more secure and each site is isolated in a separate process.
So if site1 crashes PHP or ASP, it will have no effect on any other site, because they are running PHP/ASP in a separate process.

Here is a diagram to illustrate.

[Diagram: CF server diagram]

This is the primary reason why CFML is not suited to shared hosting, no application isolation and no control over security.

Imagine the following (very common) scenario.

abc.com makes a cfhttp request to an external web service at xyz.com to get syndicated content for its pages.
The web service at xyz.com goes down, which means all the pages on abc.com are now going to time out. On a shared server this will very quickly consume all of ColdFusion's "maximum number of simultaneous requests", and subsequent requests then become queued. The result is that every other CFML site on the server now becomes slow as well, as all their page requests are queued behind the problematic site, and they are now likely to time out too.

An even worse scenario is where native Java requests are concerned, such as database queries, as these cannot be killed automatically, not even with FusionReactor. If a page hangs in the middle of a database query because it is waiting for a response from the DB server, then this request will never time out and will hang indefinitely, so 1 CF thread is no longer available. If this happens 10 times, 10 CF threads are gone; if your "maximum number of simultaneous requests" is set to 10, you now have 0 requests left, your server will stop serving CFML and all websites will hang/time out until the service is restarted.
If the original problem still exists then restarting CF will not help either, as the issue will simply continue until all the requests are again used up and all sites start to hang. The only solution at this point is to turn off the site causing the problem.

Then we have the security issues that I mentioned. Everyone by now is aware of the CFIDE hack which affected many CF servers. This was only possible because CF runs as a service and because that service runs under the SYSTEM account by default, which has full file system access, which allowed the uploaded hack to access every part of the server. If CF worked like a CGI/ISAPI application, the effect of this hack would have been far less.

But my code has proper error trapping and caching and stuff, so this doesn’t affect me right ?

Wrong, I'm afraid. On a shared server it doesn't matter how brilliant your code is, how well you have performance tested it, or how much error trapping you have; none of this stops the other sites on the server from causing you problems.
You could be lucky on a shared host for months or even years if you are on a server that doesn't have many sites, or only simple sites that are not problematic (at the moment), but it only takes one poorly written app to bring CF to its knees.
It is also important to realise that almost nobody using shared hosting has ever done any kind of load testing or performance testing on their website, and in most cases they do not even know what this means or how to do it. The result is that website owners have no idea how their site will perform under load, and neither does the developer who made it. This leads to another very common scenario, which usually begins with a statement like "Nothing has changed on my site and it has been running fine for years, so it must be your server".
Again, this is totally irrelevant in most cases. Sure, your site may well have been running fine for years with 20-50 visitors per day, but what happens when it suddenly gets 1000 visitors per day as a result of some marketing or media attention, or starts getting hit by search engine bots? Suddenly this once stable site falls over horribly due to poorly written or legacy code.

But Railo is better right ?

Ultimately no, I'm afraid, as Railo works the same way as CF, so the primary issues mentioned above apply to Railo as well.

Railo is however an improvement in that the security sandboxing is automatically applied at website context root level (if you set this in your Railo server admin) and does not require admins to set up sandboxes for each site as with ColdFusion, which is a sandboxing nightmare; this makes Railo better for shared hosting. However, Railo's sandboxes, like ColdFusion's, only sandbox CFML and can easily be overridden with Java code.
Railo also has its per-site web admin, allowing all users to administer their own site, which is again a big improvement over ColdFusion, which has a single Admin that must be administered by the host.
So by using Railo you don't have to rely on your host; you can pretty much do everything yourself.

So what’s the solution ?

The only solution is to do some research, educate yourself and use a bit of common sense.
ColdFusion is intended to be an enterprise solution, and thus to run on dedicated hosting; it was never intended for shared hosting and is not built for it. So the simple answer is: use the right tool for the job.
If you just want to run a blog, personal website or simple brochureware website, and you don't have your own server and only have the budget for shared hosting, but do not want to be affected by the above problems, then use a technology more suited to this purpose, one that runs as a CGI/ISAPI process, the most popular of course being PHP or ASP.net. Avoid any Java-related choices, as these will all suffer from the same issues.

If you love CFML and want to use it for everything you do, then do yourself a favour and get a VPS running Railo (or ColdFusion if you can afford it).
On your own VPS you then also have the option to use multiple CF instances, so each of your sites runs on a dedicated instance of Tomcat (or whatever your Java servlet container of choice is). You can still run multiple sites, but you avoid the shared hosting scenario and can also lock down the security.

I am going to use shared hosting anyway regardless, what do you suggest ?

If you really have no choice (or simply won’t take good advice), then here are some tips on choosing a host.

  • Choose a host that specialises in Railo or ColdFusion and actually knows what they are doing; do not choose a generic host that simply has Railo/CF installed and classes this as SUPPORTED.
  • Test your host's knowledge: see how much they know about CF/Railo, and ask to speak to a CF specialist.
  • Make sure your host is secure:
    • For ColdFusion they should be using Enterprise edition, otherwise there are no sandboxes and no security. If they are running Standard edition, avoid.
    • Ask them if they run a bog-standard out-of-the-box CF installation; if yes, then it is not locked down and is not secure.
    • Ask them if they use FusionReactor or HackMyCF. Preferably go with someone who says yes.
    • Ask them if they use security sandboxes; if no, then avoid.
  • Ask your host how many sites they run on each CF server. Too many = bad.
  • If you regularly need to set up data sources, mappings or anything that requires access to the CF Admin, you would be better off with Railo.
  • Ask if you can get RDS access; if they say yes, avoid, as this should not be enabled in production.
  • Check if you can access the CF Admin or AdminAPI from your site; if yes, change host now.
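Two of the checks in this list, scripted as an added PowerShell example (this is not code from the article or from any hosting company): which account the CFML service logs on as, for your own server, and whether the CF Administrator or AdminAPI answer on your own site's hostname. The function names, the service-name pattern and the example hostname are assumptions.

```powershell
# Added example: service identity and admin exposure checks for a CF/Railo host.
# Run Get-CfmlServiceIdentity on the server itself and Test-CfAdminExposure
# from outside, against your own site. Service-name pattern and URLs are assumed.

function Get-CfmlServiceIdentity {
    # List Windows services that look like a CFML engine or its servlet container,
    # with the account they log on as. LocalSystem has full file-system access,
    # so a compromise inside that process reaches every other site on the box.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.Name -match 'ColdFusion|Railo|Tomcat' } |
        ForEach-Object {
            [pscustomobject]@{
                Service  = $_.Name
                RunsAs   = $_.StartName
                HighRisk = ($_.StartName -eq 'LocalSystem' -or $_.StartName -like '*SYSTEM*')
            }
        }
}

function Test-CfAdminExposure {
    param([Parameter(Mandatory)][string]$BaseUrl)
    # The CF Administrator and AdminAPI should never be reachable from a
    # production site; a host that leaves them open has not locked CF down.
    $paths = '/CFIDE/administrator/index.cfm', '/CFIDE/adminapi/'
    foreach ($p in $paths) {
        $url = $BaseUrl.TrimEnd('/') + $p
        try {
            $resp = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10
            $code = [int]$resp.StatusCode
        } catch {
            # Non-2xx answers (401/403/404) surface as an exception; read the status from it
            $code = if ($_.Exception.Response) { [int]$_.Exception.Response.StatusCode } else { 0 }
        }
        [pscustomobject]@{
            Url     = $url
            Status  = $code
            Exposed = ($code -eq 200)   # 200 = admin reachable; anything else = blocked or absent
        }
    }
}

# Get-CfmlServiceIdentity | Format-Table -AutoSize
# Test-CfAdminExposure -BaseUrl 'http://www.example.com' | Format-Table -AutoSize
```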

Unfortunately there are very few noteworthy CF hosts these days; the ones I see most commonly recommended are Viviotech, Hostek, HostMySite (although not so much since they got taken over by hosting.com) and BlueThunder (my company).

Mura CMS: Hide menus for restricted pages

ColdFusion, Railo | 5 Comments

I have just recently been playing with Mura in the last 2 days, which I decided to use for the new CFLIVE website.

One function I need is to have menus/pages which are only visible to logged-in users. While Mura does allow you to restrict access to pages, it still displays the menus/links and allows access to the page, but gives a login prompt instead of the page content; I could not find any way to hide the menu links as well.
On the Mura forums even BlueRiver themselves have suggested the only option is to create a hard-coded menu instead, which really seems like a terrible workaround to me, although that reply was 5 years old, so perhaps there was no better way to do it back then.

Anyway, I found a better solution, but please be aware that, as I said, I have only been using Mura for 2 days and have no more than a few hours' experience with Mura code at this point, so if there is a better way of doing this, feel free to let me know.

Open the file /requirements/mura/content/contentRenderer.cfc

Find the "allowLink" function, around line 287, and copy this function to your site's contentRenderer.cfc
e.g.
[site root]/default/includes/contentRenderer.cfc

Now simply add the <cfelseif> block below (marked "add this bit"); this will stop restricted pages showing in the menu if the user is not logged in.

 




<cfif arguments.loggedIn and (arguments.restrict)>
    <cfif arguments.restrictgroups eq '' or listFind(session.mura.memberships,'S2IsPrivate;#application.settingsManager.getSite(variables.event.getValue('siteID')).getPrivateUserPoolID()#') or listFind(session.mura.memberships,'S2')>
        <cfset allowLink=True>
    <cfelseif arguments.restrictgroups neq ''>
        <cfset allowLink=False>
        <cfloop list="#arguments.restrictgroups#" index="G">
            <cfif listFind(session.mura.memberships,'#G#;#application.settingsManager.getSite(variables.event.getValue('siteID')).getPublicUserPoolID()#;1')>
                <cfset allowLink=true>
            </cfif>
        </cfloop>
    </cfif>
<!--- add this bit: hide the link when the page is restricted and the user is not logged in --->
<cfelseif !arguments.loggedin and arguments.restrict>
    <cfset allowLink=false>
</cfif>



Running Railo and ColdFusion 10 side by side with BonCode

ColdFusion, Railo | 3 Comments

The advantage of the BonCode connector for me is that it does away with the need for ISAPI filters and the jakarta virtual directory, which are required when using the native Tomcat connector.
The problem with the regular connector is that you cannot enable CF on a site simply via the web.config file; you have to go into IIS and do some work, or use ColdFusion's "web server config tool".
As I want to offer ColdFusion 10 on cfmldeveloper.com, I need a way for users to be able to enable CF or Railo themselves without having to contact me, and the best way to do this currently is with BonCode.

The current Railo installer now includes the BonCode connector by default, so that is covered, but ColdFusion 10 uses the regular connector and still has the above issues. So what if you want to run Railo and ColdFusion together on the same server using BonCode? Well, with a bit of help from Bilal (the creator of BonCode) I managed to get this working.

 

Firstly, install Railo as normal but DO NOT install the IIS connector; choose NO for that option.

Now open C:\railo\AJP13 and rename installer.settings to something else so that it is not used. If you know what you are doing with this file then feel free to use it instead; see the BonCode docs.

Now run connector_setup.exe and follow the steps, enabling any options you require; again, refer to the docs for more details. For this article I am using only the default settings.

[screenshot]

Port 8009 is the Tomcat AJP port that Railo uses; for ColdFusion 10 you would use 8012.

[screenshot]

Make sure you choose "let me choose specific sites"

[screenshot]

Choose one site on which you will enable Railo; for reference, I will use the Default Web Site.

Railo should now be working on the default website; if not, then just perform the steps below to do it manually.

 

Manually enabling Railo on additional websites

In your default website root you should have a BIN folder; simply copy this folder to any other site on which you wish to enable Railo.
You can also manually create the BIN folder and copy the following files from the C:\railo\AJP13 folder:

BonCodeAJP13.dll
BonCodeIIS.dll

You will also need to create a file named BonCodeAJP13.settings

The contents of this file are described in the aforementioned BonCode docs, but basically it will look like this:




<Settings>
  <Server>localhost</Server>
  <Port>8009</Port>
  <EnableRemoteAdmin>True</EnableRemoteAdmin>
  <EnableHeaderDataSupport>True</EnableHeaderDataSupport>
  <ForceSecureSession>False</ForceSecureSession>
  <AllowEmptyHeaders>False</AllowEmptyHeaders>
</Settings>

In IIS you now need to create a managed handler for the site, like this:

[screenshot]

The value for Type is "BonCodeIIS.BonCodeCallHandler, BonCodeIIS, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ad590a40d40745cf".
You can find this value in C:\railo\AJP13\BonCodeFullHandlerName.txt

Or you can add it to your web.config handlers section like this:




<add name="Boncode CFML" path="*.cfm" verb="*" type="BonCodeIIS.BonCodeCallHandler, BonCodeIIS, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />



Enable ColdFusion 10 on any website

Install ColdFusion 10 in the usual way, but DO NOT enable the built in connector on any websites.

Now simply do as per the Railo instructions above, except change the settings file as follows. Note the port is 8012 and the additional EnableAdobeMode setting.




<Settings>
  <Server>localhost</Server>
  <Port>8012</Port>
  <EnableRemoteAdmin>True</EnableRemoteAdmin>
  <EnableHeaderDataSupport>True</EnableHeaderDataSupport>
  <ForceSecureSession>False</ForceSecureSession>
  <AllowEmptyHeaders>False</AllowEmptyHeaders>
  <EnableAdobeMode>True</EnableAdobeMode>
</Settings>



Some hints and tips

Verify engine

If you want to test whether you are using CF or Railo, simply dump the server scope:

<cfdump var="#server#">

If for some reason all your sites are showing Railo and not CF, and you definitely have the port set to 8012 in the settings file, then you probably have the global configuration set in IIS from a previous Railo installation where you chose to install to all sites.
In which case, just download the standalone BonCode connector installer from the website and run the uninstaller, then run the setup again following the instructions above.

No default documents

If you use the wildcard handler (which you will need in order to enable the CF virtual mappings), you will find that default documents no longer work. To fix this you need to add your default docs to the <welcome-file-list> in Tomcat.
You do this in the following file:
C:\ColdFusion10\cfusion\runtime\conf\web.xml

Wildcard handler

The wildcard handler is required for various CF functionality which relies on virtual mappings (directories which do not really exist). Using a wildcard handler means that *ALL* traffic goes through Tomcat, so CSS, JS and HTML files too, which can cause other problems. If you do find this to be problematic then, to get round it, you can create empty directories for all the virtual mappings, put a web.config file in those folders, and enable the wildcard handler *ONLY* on those folders.

The folders are:

/CFFormGateway
/flex2gateway
/CFFileServlet
/cfform-internal
/flashservices/gateway
/flex-internal
/rest

Your web.config entry would look like this:




<add name="Boncode CFML Wildcard" path="*" verb="*" type="BonCodeIIS.BonCodeCallHandler, BonCodeIIS, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ad590a40d40745cf" resourceType="Unspecified" preCondition="integratedMode" />
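The manual steps above (BIN folder, connector DLLs, settings file for Railo or ColdFusion 10, the web.config handler, and the per-folder wildcard handler for the CF virtual mappings) scripted as one added PowerShell example; this is not code from the article or from the BonCode project. The function names, the C:\railo\AJP13 source folder default and the site paths in the usage lines are assumptions, as is placing the settings file in the BIN folder beside the DLLs.

```powershell
# Added example: enable Railo or ColdFusion 10 on an IIS site via BonCode. Assumes the
# connector files are in C:\railo\AJP13 and the settings file lives in the site's BIN folder.
$BonCodeType = 'BonCodeIIS.BonCodeCallHandler, BonCodeIIS, Version=1.0.0.0, Culture=neutral, PublicKeyToken=ad590a40d40745cf'

function Add-BonCodeHandler {
    # Add (idempotently) a BonCode handler to the web.config in $Folder, creating the file if needed
    param(
        [Parameter(Mandatory)][string]$Folder,
        [Parameter(Mandatory)][string]$Name,   # handler name as it appears in IIS
        [Parameter(Mandatory)][string]$Path    # '*.cfm' for CFML only, '*' for the wildcard handler
    )
    $configPath = Join-Path (Resolve-Path $Folder).Path 'web.config'
    if (Test-Path $configPath) {
        [xml]$xml = Get-Content -Path $configPath -Raw
    } else {
        [xml]$xml = '<?xml version="1.0" encoding="utf-8"?><configuration><system.webServer /></configuration>'
    }
    $ws = $xml.DocumentElement.SelectSingleNode('system.webServer')
    if (-not $ws) { $ws = $xml.DocumentElement.AppendChild($xml.CreateElement('system.webServer')) }
    $handlers = $ws.SelectSingleNode('handlers')
    if (-not $handlers) { $handlers = $ws.AppendChild($xml.CreateElement('handlers')) }
    if ($handlers.SelectSingleNode("add[@name='$Name']")) { return }   # already configured
    $add = $xml.CreateElement('add')
    $add.SetAttribute('name', $Name)
    $add.SetAttribute('path', $Path)
    $add.SetAttribute('verb', '*')
    $add.SetAttribute('type', $BonCodeType)
    $add.SetAttribute('resourceType', 'Unspecified')
    $add.SetAttribute('preCondition', 'integratedMode')
    [void]$handlers.AppendChild($add)
    $xml.Save($configPath)
}

function Enable-BonCodeSite {
    param(
        [Parameter(Mandatory)][string]$SiteRoot,
        [int]$Port = 8009,                       # 8009 = Railo's Tomcat AJP port, 8012 = ColdFusion 10
        [switch]$AdobeMode,                      # set for ColdFusion 10 (writes EnableAdobeMode)
        [string]$ConnectorDir = 'C:\railo\AJP13'
    )
    $bin = Join-Path $SiteRoot 'BIN'
    New-Item -ItemType Directory -Path $bin -Force | Out-Null
    foreach ($dll in 'BonCodeAJP13.dll', 'BonCodeIIS.dll') {
        Copy-Item -Path (Join-Path $ConnectorDir $dll) -Destination $bin -Force
    }
    # Same settings as the article; EnableAdobeMode is only added for ColdFusion
    $adobe = if ($AdobeMode) { "`n<EnableAdobeMode>True</EnableAdobeMode>" } else { '' }
    @"
<Settings>
<Server>localhost</Server>
<Port>$Port</Port>
<EnableRemoteAdmin>True</EnableRemoteAdmin>
<EnableHeaderDataSupport>True</EnableHeaderDataSupport>
<ForceSecureSession>False</ForceSecureSession>
<AllowEmptyHeaders>False</AllowEmptyHeaders>$adobe
</Settings>
"@ | Set-Content -Path (Join-Path $bin 'BonCodeAJP13.settings') -Encoding ASCII
    Add-BonCodeHandler -Folder $SiteRoot -Name 'Boncode CFML' -Path '*.cfm'
}

function Add-CfMappingFolders {
    # Empty folders for the CF virtual mappings, each with the wildcard handler ONLY in that folder
    param([Parameter(Mandatory)][string]$SiteRoot)
    foreach ($m in 'CFFormGateway', 'flex2gateway', 'CFFileServlet', 'cfform-internal',
                   'flashservices\gateway', 'flex-internal', 'rest') {
        $dir = Join-Path $SiteRoot $m
        New-Item -ItemType Directory -Path $dir -Force | Out-Null
        Add-BonCodeHandler -Folder $dir -Name 'Boncode CFML Wildcard' -Path '*'
    }
}

# Usage (run as administrator): Railo on one site, ColdFusion 10 plus its mappings on another
# Enable-BonCodeSite -SiteRoot 'C:\inetpub\railosite'
# Enable-BonCodeSite -SiteRoot 'C:\inetpub\cfsite' -Port 8012 -AdobeMode
# Add-CfMappingFolders -SiteRoot 'C:\inetpub\cfsite'
```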



CFDump Alternative

ColdFusion, Railo | No Comments

CFDUMP is an invaluable tag; it helps immensely with debugging and viewing your objects, but annoyingly it requires CreateObject(java) to work, which is often disabled on shared hosting for security reasons. Or, even if you run your own server, perhaps you need to keep createObject(java) disabled but still use CFDump.

This alternative custom tag gives you the functionality of CFDUMP using JavaScript instead.

I originally created this for use on cflive.net because createObject(java) is disabled there, and considering what cflive is intended for, cfdump is definitely required. A few people have asked how I did it, so I thought I would release it for the benefit of anyone else who may want to use it.

Note that because it uses JavaScript this is only good for generating dumps to the browser. If you wanted to create a CFDump on the server and put it into an email, then this will not help you, as there is of course no JavaScript there to render the output.

You can try it out at www.cflive.net where I have used it to replace the original cfdump tag, so just use <cfdump var="#cgi#"> for example.

This tag was created using the JavaScript dump code from Net Grow, which I have modified slightly to give the following additional functionality.

  • allow multiple dumps on the same page
  • new label attribute to emulate the original cfdump
  • plus of course to generate dumps via CFML pages.

You can download the tag here.

How to use

  • As a custom tag
    Simply drop dump.cfm into your global CustomTags folder or into any folder which you have mapped as a customTags folder in your Application.cfc,
    or just drop it into the same folder from which you are calling it, then call it as per any normal custom tag.
    e.g.
    <cf_dump var="#cgi#" label="CGI Scope">
  • Via CFIMPORT
    If you do not know how to use cfimport, then see the cfimport documentation.
    e.g.
    <cfimport prefix="" taglib="/customTags">
    <dump var="#cgi#" label="CGI Scope">
  • Replace the original CFDUMP tag
    If you want all your existing code to work without any changes then you can simply replace the original cfdump tag with mine.
    Here are example locations where you will find the tag; you can just do a search for "dump.cfm" inside your CF or Railo installation.
    • ColdFusion 9 location
      C:\ColdFusion9\wwwroot\WEB-INF\cftags\dump.cfm
    • ColdFusion 10 location
      C:\ColdFusion10\cfusion\wwwroot\WEB-INF\cftags\dump.cfm
    • Railo location
      C:\railo4\railo-server\context\library\tag
      Railo uses a dump.cfc by default, but if you copy dump.cfm into this folder it will take precedence over dump.cfc.

Caveats with Railo running on Helicon zoo

Railo | 3 Comments

One of my Railo sites has a scheduled task which is supposed to run every night at midnight, and I noticed recently that it had not been running, as it usually sends me an email. After an initial bit of head scratching the cause was actually obvious, if you understand how Helicon Zoo works and how Railo runs inside Zoo; if you don't, then I suggest reading up on that first.

Because Railo runs as an IIS process under Helicon Zoo, the application shuts down after a period of inactivity as defined by your application pool settings. This is good in that it conserves system resources for sites which are not very busy, but it is also bad for Railo for several reasons:

  • Every time the application pool shuts down, so does Railo/Java.
  • Every time the application pool restarts, Railo must start up again, which can make the initial page load rather slow.
  • Every time Railo shuts down you lose anything that was cached, which must be reloaded again when Railo restarts.
  • Scheduled tasks will of course not run when Railo is not running.

For a small site with no scheduled tasks this probably is not an issue, but if you run a site that does a lot of caching and has a slow start-up time, such as Mango Blog or Mura CMS, then this could be an issue. Also, if you have any scheduled tasks which you rely on, this will be an issue.

In my case the problem was that I had set up the scheduled task on the default website, which is never used for anything other than accessing the Railo admin and running this scheduled task.

If this is an issue for you then there are several workarounds.

  1. You can increase the application pool idle timeout; this is how long it will wait until it shuts down when idle.
    [screenshot: app_pool_timeout]
  2. Set up a scheduled task that calls a CFM page on your site every 5 minutes, which in theory should keep it active, although this may not be the most reliable method.
  3. RECOMMENDED: set up monitoring for your website which makes an HTTP request every 5 minutes, thus keeping the site active. If you do not have your own monitoring system then you can find plenty of options on Google.
  4. There are also plenty of websites out there which offer online cron jobs, many of which are free; you could use one of these to execute your scheduled tasks or just to keep your site active.
  5. Use Windows Task Scheduler to run any page on your site every five minutes, or just use this for your scheduled tasks instead of Railo.
    You can do this using PowerShell; just set the following command to execute, replacing the URL with your own. Make sure you have PowerShell installed of course.
    powershell.exe -command "(new-object system.net.webclient).downloadstring('http://yourdomain/task.cfm')"
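Option 5 carried a little further as an added PowerShell example (not from the article): a keepalive script that requests the page, records the HTTP result and the elapsed time to a log so a failed or slow cold start is visible, plus the schtasks command that runs it every five minutes. The URL, log path and task name are placeholders.

```powershell
# keepalive.ps1 - added example, not from the article. Requests one page on the
# site so the application pool (and Railo inside it) stays up, and logs the
# outcome. URL, log path and task name below are placeholders to replace.
param(
    [string]$Url = 'http://yourdomain/task.cfm',
    [string]$LogPath = 'C:\scripts\keepalive.log'
)

$client = New-Object System.Net.WebClient
$timer = [System.Diagnostics.Stopwatch]::StartNew()
try {
    [void]$client.DownloadString($Url)
    $status = 'OK'
} catch [System.Net.WebException] {
    # The server answered with an error: record the HTTP code; otherwise the failure reason
    $resp = $_.Exception.Response
    $status = if ($resp) { 'HTTP ' + [int]$resp.StatusCode } else { "$($_.Exception.Status)" }
}
$timer.Stop()

# A long elapsed time right after an idle period is the Railo cold start the article describes
"$(Get-Date -Format s) $Url $status $($timer.ElapsedMilliseconds)ms" | Add-Content -Path $LogPath

# Register it once, as administrator; -File avoids the nested quoting of an inline -Command:
# schtasks /Create /SC MINUTE /MO 5 /TN "RailoKeepAlive" /RU SYSTEM /F /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\keepalive.ps1"
```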